Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication

Overview

caddy-security

Security App and Plugin for Caddy v2. It includes:

  • Authentication Plugin for implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML Authentication
  • Authorization Plugin for HTTP request authorization based on JWT/PASETO tokens
  • Credentials Plugin for managing credentials for various integrations

Please show your appreciation for this work and consider sponsoring this project!

Please ask questions either here or via LinkedIn. I am happy to help you! @greenpau


⚠️ Please open an issue if you need help migrating configurations from caddy-auth-portal and caddy-authorize (aka caddy-auth-jwt).


Documentation: authp.github.io

Security Policy: SECURITY.md

Please see other plugins:

Overview

The caddy-security app manages the authentication portal, authorization security policies and credentials. The plugin enforces a security policy on endpoints marked with the authorize keyword and serves the authentication portal on endpoints marked with the authenticate keyword.

The app and plugin use Authentication, Authorization, and Accounting (AAA) Security Functions (SF) from github.com/greenpau/aaasf.

Getting Started

The configuration happens in Caddy's global options block.

  • Setting Up Local Authentication: Video and Config Gist
  • Login with App Authenticator and Yubico U2F: Video

Download Caddy with the plugins enabled:

Credentials

The following configuration adds SMTP credentials to the security app, which the app and plugin can then use (for example, to send registration email). Note that port 993 in the address below is the IMAP-over-TLS port; SMTP submission normally uses port 587, as the Gmail and SendGrid configurations further down the page do.

{
  security {
    credentials email smtp.outlook.com {
      address outlook.office365.com:993
      protocol smtp
      username {env.SMTP_USERNAME}
      password {env.SMTP_PASSWORD}
    }
  }
}

Authentication

The following configuration adds an authentication portal and serves it at auth.myfiosgateway.com.

{
  security {
    authentication portal myportal {
      crypto default token lifetime 3600
      crypto key sign-verify {env.JWT_SECRET}
      backend local {env.HOME}/.local/caddy/users.json local
      cookie domain myfiosgateway.com
      ui {
        links {
          "My Website" https://assetq.myfiosgateway.com:8443/ icon "las la-star"
          "My Identity" "/whoami" icon "las la-user"
        }
      }
      transform user {
        match origin local
        action add role authp/user
        ui link "Portal Settings" /settings icon "las la-cog"
      }
    }
  }
}

auth.myfiosgateway.com {
  authenticate * with myportal
}

Authorization

The following configuration defines an authorization policy and applies it to a site with the authorize handler. The policy verifies tokens with the same key the portal signs them with and admits only the listed roles.

{
  security {
    authorization policy mypolicy {
      set auth url https://auth.myfiosgateway.com/
      crypto key verify {env.JWT_SECRET}
      allow roles authp/admin authp/user
    }
  }
}

www.myfiosgateway.com {
  authorize with mypolicy
  root * {env.HOME}/public_html
  file_server
}
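To make the policy above concrete, here is an added Go example (not the plugin's own code) of what `crypto key verify` and `allow roles` amount to for a shared-secret token: the portal signs the token with JWT_SECRET, and the policy recomputes the HMAC with the same secret, rejects expired tokens, and admits the request only if the roles claim intersects the allow list. The claim names (sub, roles, exp), the HS256 algorithm and the sample secret are assumptions made for illustration, not the plugin's exact token schema.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of the token payload this example checks. The claim
// names are an assumption for illustration, not the plugin's exact schema.
type Claims struct {
	Sub   string   `json:"sub"`
	Roles []string `json:"roles"`
	Exp   int64    `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 mints a compact JWT the way a portal configured with a shared
// "sign-verify" secret would: HMAC-SHA256 over header.payload.
func SignHS256(secret []byte, c Claims) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// Authorize mirrors "crypto key verify" followed by "allow roles": the
// signature must match the shared secret (checked before the payload is
// trusted), the token must be unexpired, and at least one role must be allowed.
func Authorize(secret []byte, token string, allowed []string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: the verifier decides, never the token (blocks alg=none).
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "HS256" {
		return Claims{}, errors.New("unsupported or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("signature verification failed (portal and policy keys differ?)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired or missing exp")
	}
	for _, have := range c.Roles {
		for _, want := range allowed {
			if have == want {
				return c, nil
			}
		}
	}
	return Claims{}, errors.New("none of the token's roles is allowed")
}

func main() {
	secret := []byte("constructed-example-secret") // stands in for {env.JWT_SECRET}
	now := time.Now()
	tok := SignHS256(secret, Claims{Sub: "alice", Roles: []string{"authp/user"}, Exp: now.Add(time.Hour).Unix()})
	allowed := []string{"authp/admin", "authp/user"} // the policy's "allow roles" line

	_, err := Authorize(secret, tok, allowed, now)
	fmt.Println("same secret, allowed role:", err)
	_, err = Authorize([]byte("some-other-secret"), tok, allowed, now)
	fmt.Println("policy configured with a different key:", err)
	_, err = Authorize(secret, tok, []string{"authp/admin"}, now)
	fmt.Println("admin-only policy:", err)
}
```

Both ends must hold the same secret: the portal's `crypto key sign-verify` and the policy's `crypto key verify` above are the same `{env.JWT_SECRET}`. The second call in `main` shows what a mismatch looks like: the signature check fails before the payload is ever parsed, so no role check happens at all.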

User Interface

The portal provides the following screens:

  • User Login
  • Portal
  • User Identity (whoami)
  • User Settings
  • Password Management
  • Add U2F Token (Yubico)
  • Add Authenticator App
  • Multi-Factor Authentication

Comments
  • nginx style Forward Auth example.

    Hello. https://github.com/caddyserver/caddy/issues/2894 is closed citing this project's existence. Nginx' auth_request directive (https://nginx.org/en/docs/http/ngx_http_auth_request_module.html) works with a simple HTTP response code. Is this kind of functionality available? If yes, can you please direct me to the relevant documentation.

    Another question while we're at it. It seems caddy-security is now a single module that includes the former authorize and portal components. Is it still possible to build it without the portal for people who already have an external authentication system in place?

    question oauth 
    opened by xpufx 50
  • question: How do roles work now

    Previously utilizing caddy-authorize, this line for roles worked

    allow roles User Admin

    How would this be implemented in caddy-security, the docs don't seem to be updated yet. The repo's description includes this snippet, allow roles authp/admin authp/user, but am unsure how to implement this in my existing Caddyfile, specifically I am using organizr's jwt, https://docs.organizr.app/features/server-authentication

    bug question migration authorization 
    opened by MVethana 43
  • What JWKS key types are supported in the generic OAuth2 backend?

    New to Caddy, new to OAuth & OIDC so brace yourselves. I'm trying to add OAuth/OIDC authentication to a site. I'm using this config file as a reference. Things are going ok to start with, here's where (I think) I'm at:

    1. It looks like Caddy is hitting my metadata_url and finding the jwks_uri field.
    2. Once it hits the jwks_uri, it appears to be reading the first key in the array whose kty (key type) is EC.
    3. Then I get this message and exit with code 1:

    provision security: backend configuration for "myportal" portal failed: failed to fetch jwt keys for OAuth 2.0 authorization server: invalid jwks key: unsupported key type EC for <my_key>

    where <my_key> is the EC key found at the jwks_uri. So my questions are:

    1. Is the EC kty (keytype) supported?
    2. If not, can I direct Caddy to use another key from the jwks_uri?
    3. Have I misunderstood this completely?
    oauth feature 
    opened by irishismyname 42
  • `auth provider returned error, user authorization failed` being spammed in Caddy log

    Describe the issue I'm trying to migrate my config over to Caddy Security, and I think I have most things working now, but I'm getting this message constantly spammed in Caddy's log:

    {"level":"error","ts":1642791051.2186432,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed"}
    

    The interesting thing is, it doesn't seem to affect the functionality, because I'm able to login just fine.

    Configuration

    { # Global configuration
        acme_dns cloudflare REDACTED
        email REDACTED
        order authorize before reverse_proxy
        order authenticate before authorize
        security {
            credentials email smtp.sendgrid.net {
                address smtp.sendgrid.net:587
                protocol smtp
                username {env.SMTP_USERNAME}
                password {env.SMTP_PASSWORD}
            }
            authentication portal myportal {
                crypto default token lifetime 3600
                # crypto key sign-verify {env.JWT_SECRET}
                backend local /etc/caddy/auth/local/users.json local
                cookie domain haddock.cc
                ui {
                    links { # Icons here -> https://icons8.com/line-awesome
                        "Cloud" https://cloud.haddock.cc icon "las la-cloud"
                        "Media" https://media.haddock.cc icon "las la-photo-video"
                        "Get TV Shows" https://tv.haddock.cc icon "las la-tv"
                        "Get Movies" https://movies.haddock.cc icon "las la-video"
                    }
                }
                transform user {
                    match origin local
                    action add role authp/user
                    ui link "Portal Settings" /settings icon "las la-cog"
                }
            }
            authorization policy mypolicy {
                set auth url https://auth.haddock.cc/
                allow roles authp/admin authp/user
            }
        }
        # }
        # crowdsec {
        #     api_url http://crowdsec:8180/
        #     api_key REDACTED
        #     ticker_interval 15s
        # }
    }
    
    auth.haddock.cc {
        authenticate * with myportal
    }
    
    cloud.haddock.cc {
        authorize with mypolicy
        reverse_proxy nextcloud:80 {
            header_down Strict-Transport-Security "max-age=15552000; includeSubDomains"
        }
        rewrite /.well-known/carddav /remote.php/dav
        rewrite /.well-known/caldav /remote.php/dav
    }
    
    media.haddock.cc {
        authorize with mypolicy
        reverse_proxy jellyfin:8096
    }
    
    indexers.haddock.cc { # Prowlarr
        authorize with mypolicy
        reverse_proxy prowlarr:9696
    }
    
    tv.haddock.cc { # Sonarr
        authorize with mypolicy
        reverse_proxy sonarr:8989
    }
    
    movies.haddock.cc { # Radarr
        authorize with mypolicy
        reverse_proxy radarr:7878
    }
    
    localhost:8112 { # QBittorrent
        reverse_proxy torrent:8080
    }
    

    Version Information

    crowdsec v0.2.0
    dns.providers.cloudflare v0.0.0-20210607183747-91cf700356a1
    http.authentication.providers.authorizer v1.0.1
    http.handlers.authenticator v1.0.1
    http.handlers.crowdsec v0.2.0
    layer4 v0.0.0-20201230212151-6587f40d4eb6
    layer4.matchers.crowdsec v0.2.0
    layer4.matchers.ip v0.0.0-20201230212151-6587f40d4eb6
    security v1.0.1
    

    Expected behavior The Caddy log isn't filled up with the error.

    bug 
    opened by poperigby 33
  • feature: Nextcloud OIDC support

    This is a continuation of https://github.com/greenpau/caddy-auth-portal/issues/227#. I think it would be a useful feature to be able to login to Nextcloud with Caddy Security account, and for Caddy Security to automatically create new Nextcloud users based on Caddy Security users. This can be done with OIDC, correct?

    oauth feature oidc oauth-nextcloud 
    opened by poperigby 30
  • question: Email setup

    Trying to get email working for user registration. I do not see any errors in the logs, but get email error when a user tries to register. Below is the relevant config I am using. Guessing I don't quite have the config correct, but not sure what I am missing.

    	security {
    		credentials [email protected] {
    			username [email protected]
    			password <app_password>
    		}
    		messaging email provider gmail {
    			address smtp.gmail.com:587
    			protocol smtp
    			credentials [email protected]
    			sender [email protected] "My Auth Portal"
    		}
    		authentication portal myportal {
    			enable source ip tracking
    			cookie lifetime 86400
    			crypto default token lifetime 3600
    			crypto key sign-verify <redacted>
    			cookie domain mydomain.net
    			backend local /config/caddy/users.json local
    			transform user {
    				match roles registered
    				require mfa
    			}
    			registration {
    				dropbox /config/caddy/registrations.json
    				title "User Registration"
    				code "Test"
    				require domain mx
    				email provider gmail
    			}
    ...
    
    question need triage 
    opened by samcro1967 27
  • question: skip kid check option?

    A clear and concise description of what you want to accomplish.

    I am trying to authenticate to an (apparently) broken oauth2 server which does not provide the kid in the id_token.

    The error in the logs is this:

    {"level":"warn","ts":1647959353.70759,"logger":"security","msg":"Authentication failed","session_id":"lbcuPQRrdw8Sdwi7jCuohVyiLsViBe8wXoPGY0zsGrylm","request_id":"759dd92c-3464-4568-9dc8-6e90ffd6b93b","error":"failed validating OAuth 2.0 access token: OAuth 2.0 failed to parse id_token: OAuth 2.0 kid not found in id_token"}
    

    I have verified the id_token (by enabling debug in the caddy config), it does not contain the kid - see the id_token header below:

    {
      "typ": "JWT",
      "alg": "RS256"
    }
    

    PS: Github and gitlab configurations are working just fine, but I do get the kid in their id_token. PPS: I also had a look on #48 and tried required_token_fields access_token with no luck. I get the same error.

    oauth 
    opened by teodorescuserban 25
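The two OAuth questions above (EC keys in a provider's JWKS, and an id_token header without a kid) both come down to how a verifier selects and decodes a key from the JWKS. The Go example below is an added illustration, not caddy-security's implementation: it builds an ecdsa.PublicKey from an EC JWK as laid out in RFC 7518 section 6.2.1, selects the key by kid, falls back to the only EC key when the header carries no kid, and refuses to guess when several keys qualify. Restricting to P-256 and ES256 is this example's assumption, not a statement about what the plugin supports. Instead of fetching a real jwks_uri it generates its own P-256 key pair as a constructed fixture and mints its own tokens.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWK is one EC key from a jwks_uri (RFC 7518 6.2.1); encoding/json maps these field names to kty/crv/kid/x/y.
type JWK struct{ Kty, Crv, Kid, X, Y string }
type JWKS struct{ Keys []JWK }

var enc = base64.RawURLEncoding

// ECPublicKey decodes a P-256 JWK; elliptic.Unmarshal returns nil for a point that is not on the curve.
func ECPublicKey(k JWK) (*ecdsa.PublicKey, error) {
	x, errX := enc.DecodeString(k.X)
	y, errY := enc.DecodeString(k.Y)
	px, py := elliptic.Unmarshal(elliptic.P256(), append(append([]byte{4}, x...), y...))
	if k.Kty != "EC" || k.Crv != "P-256" || errX != nil || errY != nil || px == nil {
		return nil, fmt.Errorf("unsupported or malformed key: kty=%q crv=%q kid=%q", k.Kty, k.Crv, k.Kid)
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: px, Y: py}, nil
}

// SelectKey matches kid exactly; with no kid it accepts a lone EC key and treats ambiguity as an error.
func SelectKey(set JWKS, kid string) (JWK, error) {
	var found []JWK
	for _, k := range set.Keys {
		if k.Kty == "EC" && (kid == "" || k.Kid == kid) {
			found = append(found, k)
		}
	}
	switch len(found) {
	case 1:
		return found[0], nil
	case 0:
		return JWK{}, fmt.Errorf("no EC key matches kid %q", kid)
	}
	return JWK{}, errors.New("token has no kid and the JWKS holds several EC keys: refusing to guess")
}

// VerifyES256 checks a compact JWS: (false, nil) is a bad signature, any other problem is an error.
func VerifyES256(set JWKS, token string) (bool, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string } // the verifier pins alg; the token does not get to choose it
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return false, errors.New("malformed header or unsupported alg")
	}
	k, err := SelectKey(set, hdr.Kid)
	if err != nil {
		return false, err
	}
	pub, err := ECPublicKey(k)
	if err != nil {
		return false, err
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // ES256 signatures are raw r||s, 32 bytes each
		return false, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])), nil
}

// NewFixture generates a P-256 key and publishes it as a one-entry JWKS (a constructed stand-in for a real jwks_uri).
func NewFixture(kid string) (*ecdsa.PrivateKey, JWKS) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	x := enc.EncodeToString(priv.PublicKey.X.FillBytes(make([]byte, 32)))
	y := enc.EncodeToString(priv.PublicKey.Y.FillBytes(make([]byte, 32)))
	return priv, JWKS{Keys: []JWK{{"EC", "P-256", kid, x, y}}}
}

// MintES256 signs a fixed payload; an empty kid reproduces a header carrying only typ and alg.
func MintES256(priv *ecdsa.PrivateKey, kid string) string {
	hb, _ := json.Marshal(struct {
		Typ string `json:"typ"`
		Alg string `json:"alg"`
		Kid string `json:"kid,omitempty"`
	}{"JWT", "ES256", kid})
	input := enc.EncodeToString(hb) + "." + enc.EncodeToString([]byte(`{"sub":"alice","iss":"https://idp.example"}`))
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + enc.EncodeToString(sig)
}

func main() {
	priv, set := NewFixture("key-1")
	fmt.Println(VerifyES256(set, MintES256(priv, ""))) // true <nil>: no kid, but only one EC key to try
}
```

Whether a real deployment should accept a kid-less id_token at all is a policy decision for the verifier; the conservative behaviour shown here is to fall back only when exactly one candidate key exists, and to fail closed as soon as the provider publishes a second EC key.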
  • question: how to skip the ui and go straight to OIDC provider login page

    A clear and concise description of what you want to accomplish.

    Hi, can we configure the plugin to skip the UI portal and directly redirect the unauthenticated user to OIDC provider login page?

    Thanks

    question need triage 
    opened by rucciva 21
  • breakfix: Access token set without expiry, still gets 401, and doesn't redirect to provided auth url

    Describe the issue

    After logging in at https://auth.MYDOMAIN.com, the auth portal sets a cookie without a Max-Age or expires attribute set, meaning it only lives as long as the session. Example set-cookie header in the response of /oauth2/github/authorization-code-callback?code=OAUTH_CODE... after logging in with github:

    set-cookie: access_token=eyJhbGciOiJI....; Domain=MYDOMAIN.com; Path=/; Secure; HttpOnly;
    

    Also, the access token itself doesn't seem to work at all with my current configuration, and I get a 401 on the example domain of this config https://sonarr.MYDOMAIN.com, with error logs like:

    {"level":"debug","ts":1642792571.8178122,"logger":"security","msg":"token validation error","session_id":"cO9Fu3cuNuNg5ufIugXgZphXU5MSzEFhfByBX0ojPb8","request_id":"26a2f6a9-51fb-4be8-92ac-85f40eefbfd5","error":"token validator: invalid token: keystore: failed to parse token"}
    {"level":"error","ts":1642792571.8178322,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed"}
    

    and it just redirects to https://sonarr.MYDOMAIN.com/?redirect_url=https%3A%2F%2Fsonarr.MYDOMAIN.com%2F, rather than redirecting to https://auth.MYDOMAIN.com as I'd expect.

    My very very similar config previously using caddy-authorize and caddy-auth-portal worked fine, I've basically just moved around the attributes to be inline with how the new config format looks, and I used the jumpcloud config as my example.

    Configuration

    {
            debug
            order authorize before basicauth
            email {$CF_EMAIL}
            auto_https ignore_loaded_certs
    
            security {
                    authentication portal mainportal {
                            crypto default token lifetime 2419200
                            crypto key sign-verify {$CADDY_AUTH_TOKEN_SECRET}
                            cookie domain {$DOMAIN}
                            backend local {$CADDY_AUTH_USERS_PATH} local
                            backend github {$CADDY_GITHUB_OAUTH_CLIENT_ID} {$CADDY_GITHUB_OAUTH_CLIENT_SECRET}
                            transform user {
                                    exact match sub github.com/johnpyp
                                    action add role authp/admin
                                    action add role superadmin
                            }
                            transform user {
                                    match email [email protected]
    
                                    action add role authp/admin
                                    action add role superadmin
                            }
                    }
    
                    authorization policy mainpolicy {
                            set auth url https://auth.{$DOMAIN}
                            allow roles admin superadmin authp/admin
                            crypto key verify {$CADDY_AUTH_TOKEN_SECRET}
                    }
            }
    }
    
    (cf_tls) {
            tls {
                    issuer zerossl {
                            resolvers 1.1.1.1
                            dns cloudflare {$CF_API_TOKEN}
                    }
            }
    }
    
    auth.{$DOMAIN} {
            import cf_tls
            route {
                    authenticate * with mainportal
            }
    }
    
    (protected_route) {
            {args.0}.{$DOMAIN} {
                    import cf_tls
                    authorize with mainpolicy
                    route {
                            reverse_proxy {args.1}
                    }
            }
    }
    
    import protected_route sonarr sonarr:8989
    // ...
    

    Version Information

    Should be latest everything, just pulled a few minutes ago with this docker image:

    FROM caddy:2-builder AS builder
    
    RUN xcaddy build \
        --with github.com/greenpau/caddy-security \
        --with github.com/caddy-dns/cloudflare
    
    FROM caddy:2
    
    COPY --from=builder /usr/bin/caddy /usr/bin/caddy
    
    bug authorization 
    opened by johnpyp 18
  • question: inject headers from userinfo object

    @greenpau, thank you for your awesome work!

    Everything seems to be working correctly talking to a quaint oauth2 server.

    To have a complete and useful setup, there is one piece of the puzzle that is left for me and that is how do I inject custom headers to downstream from the userinfo object.

    And of course, I would really like to be able to use those details in the caddy auth policies.

    In my setup I currently use vouch to get additional information from the userinfo object.

    I have attempted inject header "X-Custom-Projects" from projects with no success (I get no error either, but I don't seem to get the new header).

    I do see two additional headers when I add inject headers with claims to the config, unfortunately that is not quite enough for my setup.

    Also inject header "X-Custom-Roles" from roles works (although I get the caddy-security roles, not the ones in the userInfo object).

    Below is an example of userInfo:

    {
        "sub": "37",
        "email": "[email protected]",
        "email_verified": true,
        "name": "john.doe.developer",
        "preferred_username": "john.doe.developer",
        "zoneinfo": "Europe\\/Berlin",
        "profile": {},
        "display_name": "John Doe",
        "groups": [
            "PROJ1",
            "PROJ2",
            "PROJ3",
            "mailhog",
            "snapshots",
            "developer:dev-004",
            "developer:mailhog",
            "developer:snapshots",
            "developer:PROJ1",
            "developer:PROJ2",
            "developer:PROJ3"
        ],
        "departments": [
            "DEPT1"
        ],
        "projects": [
            "PROJ1",
            "PROJ2",
            "PROJ3"
        ],
        "services": [
            "dev-004",
            "mailhog",
            "snapshots"
        ],
        "roles": [
            "authenticated",
            "nomfa"
        ]
    }
    
    question need triage 
    opened by teodorescuserban 17
  • feature: LDAP support for GLAuth schema

    Thank you for this awesome project, unfortunately I am having some issues with getting it to run with an LDAP backend:

    Describe the issue

    An attempt to log in over Caddy Security with an LDAP backend consisting of glauth-ui for management and glauth (https://github.com/glauth/glauth) as the LDAP provider fails with the right credentials. The credentials were successfully used by other means of connecting to glauth.

    Configuration

    Paste full Caddyfile below:

    (Domain names and unrelated services cut out)

    {
      acme_ca https://acme-v02.api.letsencrypt.org/directory
      email   [...]
      debug
    
      security {
        authentication portal myportal {
          crypto default token lifetime 3600
          crypto key sign-verify [...]
           
          backends {
            ldap_backend {
              method ldap
              realm [...]
              servers {
                ldap://login_system_glauth_1:389 ignore_cert_errors posix_groups
              }
              attributes {
                name givenname
                surname sn
                username name
                #member_of primarygroup #memberOf
                email mail
              }
              username "CN=[...],DC=[...],DC=[...],OU=[...]"
              password "[...]"
              search_base_dn "DC=[...],DC=[...],OU=[...]"
              search_filter "(|(name=%s)(mail=%s))"
              groups {
                "CN=people,OU=[...],DC=[...],DC=[...]" people
                "CN=5501,OU=[...],DC=[...],DC=[...]" people2
              }
            }
          }
    
          cookie domain [...]
          ui {
            links {
              "My Website (super secret)" [...]/foo
              "My Identity" "/whoami"
            }
          }
        }
    
        authorization policy mypolicy {
          set auth url /auth/
          crypto key sign-verify [...]
          allow roles people people2
        }
      }
    }
    
    [...]:443/* {
      #Protected super secret part of website
      redir /foo /foo/
      handle_path /foo/* {
        route {
          authorize with mypolicy
        }
        respond * "foobar website" 200
      }
    
      handle {
        route /auth* {
          authenticate * with myportal
        }
    
        #unprotected landing page
        reverse_proxy nginx:80
      }
    }
    

    Version Information

    Provide output of caddy list-modules -versions | grep git below:

    Caddy version is v2.4.6 running in docker. The above command yields no results with grep git. Without it, it looks like:

    [...] 
    
      Standard modules: 83
    
    http.authentication.providers.authorizer v1.0.6
    http.handlers.authenticator v1.0.6
    security v1.0.6
    
      Non-standard modules: 3
    
      Unknown modules: 0
    
    

    Expected behavior

    A successful login

    Additional context

    Caddy logs:

    [Note: User entry follows]
    caddy_1  | {"level":"debug","ts":1643228260.8880885,"logger":"security","msg":"LDAP dialer setup succeeded","server":"ldap://login_system_glauth_1:389"}
    caddy_1  | {"level":"debug","ts":1643228260.8909764,"logger":"security","msg":"LDAP binding succeeded","server":"ldap://login_system_glauth_1:389"}
    caddy_1  | {"level":"debug","ts":1643228260.8923666,"logger":"security","msg":"LDAP search succeeded","server":"ldap://login_system_glauth_1:389","entry_count":0,"search_base_dn":"DC=[...],DC=DE,OU=[...]","search_user_filter":"(|(name=[foo])(mail=[foo]))","users":[]}
    caddy_1  | {"level":"debug","ts":1643228260.9456468,"logger":"security","msg":"user authorization sandbox","sandbox_id":"AGrfuqfC377A6TzZYt6mYPFlKR9gK3YF8b93QH11stXLMh","sandbox_secret":"Edtvxjl3AIukviHXjEjstxPimZRzFRgEdQgjKUPU","sandbox_partition":"","checkpoints":[{"name":"Authenticate with password","type":"password"}]}
    caddy_1  | {"level":"debug","ts":1643228260.9464517,"logger":"security","msg":"next user authorization checkpoint","session_id":"pAJ0OR8hQL5NuWH0638JbOpq7JozxxTp6zfjm7","request_id":"5ce045e3-cdb6-4c07-8940-a615318dca25","data":{"action":"auth","title":"Password Authentication","view":"password_auth"}}
    
    [Note: Password entry]
    caddy_1  | {"level":"debug","ts":1643228269.0140665,"logger":"security","msg":"user authorization sandbox","sandbox_id":"AGrfuqfC377A6TzZYt6mYPFlKR9gK3YF8b93QH11stXLMh","sandbox_secret":"Edtvxjl3AIukviHXjEjstxPimZRzFRgEdQgjKUPU","sandbox_partition":"password-auth","checkpoints":[{"name":"Authenticate with password","type":"password"}]}
    caddy_1  | {"level":"debug","ts":1643228269.0155284,"logger":"security","msg":"LDAP dialer setup succeeded","server":"ldap://login_system_glauth_1:389"}
    caddy_1  | {"level":"debug","ts":1643228269.01613,"logger":"security","msg":"LDAP binding succeeded","server":"ldap://login_system_glauth_1:389"}
    caddy_1  | {"level":"warn","ts":1643228269.0173078,"logger":"security","msg":"user authorization checkpoint failed","session_id":"pAJ0OR8hQL5NuWH0638JbOpq7JozxxTp6zfjm7","request_id":"3a4848b6-9f80-47c5-bca7-e8bab3a71cf2","error":"Password authentication failed. Please retry"}
    

    Structure of glauth users:

      name = "fbar"
      givenname = "foo"
      sn = "bar"
      mail = "[email protected]"
      unixid = 5003
      primarygroup = 5501
      passsha256 = "foofoobarbar"
      otherGroups = [ 5551 ]
    

    glauth output:

    glauth_1      | 19:45:40.200821 Bind ▶ DEBU 025  "level"=6 "msg"="Bind request"  "basedn"="dc=[...],dc=de,ou=[...]" "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38570,"Zone":""}
    glauth_1      | 19:45:40.201705 Bind ▶ DEBU 026  "level"=6 "msg"="Bind success"  "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38570,"Zone":""}
    glauth_1      | 19:45:40.202217 Search ▶ DEBU 027  "level"=6 "msg"="Search request"  "basedn"="dc=[...],dc=de,ou=[...]" "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "filter"="(|(name=[foo])(mail=[foo]))" "scope"=2 "searchbasedn"="dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38570,"Zone":""}
    glauth_1      | 19:45:40.203287 Search ▶ DEBU 028  "level"=6 "msg"="AP: Search OK"  "filter"="(|(name=[foo])(mail=[foo]))"
    glauth_1      | 19:45:44.544377 Bind ▶ DEBU 029  "level"=6 "msg"="Bind request"  "basedn"="dc=[...],dc=de,ou=[...]" "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38572,"Zone":""}
    glauth_1      | 19:45:44.544462 Bind ▶ DEBU 02a  "level"=6 "msg"="Bind success"  "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38572,"Zone":""}
    glauth_1      | 19:45:44.544891 Search ▶ DEBU 02b  "level"=6 "msg"="Search request"  "basedn"="dc=[...],dc=de,ou=[...]" "binddn"="cn=[management user specified in Caddyfile],dc=[...],dc=de,ou=[...]" "filter"="(|(name=nobody)(mail=nobody))" "scope"=2 "searchbasedn"="dc=[...],dc=de,ou=[...]" "src"={"IP":"172.28.0.7","Port":38572,"Zone":""}
    glauth_1      | 19:45:44.545011 Search ▶ DEBU 02c  "level"=6 "msg"="AP: Search OK"  "filter"="(|(name=nobody)(mail=nobody))"
    
    feature ldap 
    opened by glubii 17
  • question: Use special claim from access token while using azure oauth

    A clear and concise description of what you want to accomplish.

    I use Caddy for authorization with Azure Active directory. In the original access token I see a upn claim field that I want to use later in a header field (using: inject header "X-User" from upn). But it seems I cannot get access to the claim fields. How can I add more original claim fields to the access token information generated by Caddy?

    question need triage 
    opened by mzehrer 2
  • allow a group as role option

    use case

    the first attribute from a ldap groups dn is already the role attribute we want, eg: cn=Role1,ou=Groups,dc=example,dc=com

    suggested implementation

    instead of

    groups {
    	"ou=mathematicians,dc=example,dc=com" authp/admin
    	"ou=scientists,dc=example,dc=com" authp/user
    }
    

    allow the config syntax

    groups auto_map
    

    the underlying code should then pull the first attribute from each retrieved ldap group into a role, eg:

    • "ou=mathematicians,dc=example,dc=com" –> mathematicians
    • "ou=scientists,dc=example,dc=com" –> scientists

    this can be done by extracting the text between the first '=' (equal) and the first ',' (comma) signs.

    alternative

    for some people it might be better to pull the entire dn into a role, eg:

    • "ou=mathematicians,dc=example,dc=com" –> ou=mathematicians,dc=example,dc=com
    • "ou=scientists,dc=example,dc=com" –> ou=scientists,dc=example,dc=com

    allow the config syntax for this:

    groups auto_dn_map
    
    feature need triage 
    opened by terefang 0
  • ldap group matching should be done case insensitive

    use case: virtual federated directory

    the case of the attributes and values is not predicable and can also be mixed, eg.:

    • cn=MyGroup1,ou=groups,dc=example,dc=com
    • CN=myGroup2,ou=Groups,dc=example,dc=com
    • cn=MYGROUP3,OU=Groups,DC=example,DC=com
    • CN=mygroup3,ou=GROUPS,DC=example,DC=com
    • etc etc

    i was also informed by the (my) ldap admins that any software accessing the directory is assumed to always do case-insensitive matching and this requirement cannot be changed.

    prior art

    at least all of the java libraries that i know of use case-insensitive matching (JLDAP, UnboundID, JNDI)

    suggested action

    simply lowercase all the ldap group DNs from the config and responses before matching.

    need triage breakfix 
    opened by terefang 0
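The two LDAP requests above (derive the role from the first RDN of a group DN, and match configured group DNs case-insensitively) can be illustrated with one added Go example. It is not caddy-security's implementation; the mode names explicit, auto_map and auto_dn_map are borrowed from the issue text as labels, not plugin syntax. One thing the "text between the first = and the first ," rule from the first request misses is that RFC 4514 allows escaped separators inside values (cn=Smith\, John), so the splitter below honours backslash escapes. Derived roles are lowercased, a design choice of this example so that mixed-case directory output collapses to a single role.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// splitUnescaped splits s at every sep not preceded by a backslash (RFC 4514 escaping).
func splitUnescaped(s string, sep byte) []string {
	var parts []string
	start := 0
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '\\':
			i++ // skip the escaped character
		case sep:
			parts = append(parts, s[start:i])
			start = i + 1
		}
	}
	return append(parts, s[start:])
}

func unescape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+1 < len(s) {
			i++
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// NormalizeDN lowercases a DN and strips whitespace around '=' and ',' so that
// "CN=myGroup2, ou=Groups, DC=example" and "cn=mygroup2,ou=groups,dc=example" compare equal.
func NormalizeDN(dn string) string {
	rdns := splitUnescaped(dn, ',')
	for i, rdn := range rdns {
		kv := splitUnescaped(rdn, '=')
		for j := range kv {
			kv[j] = strings.TrimSpace(kv[j])
		}
		rdns[i] = strings.Join(kv, "=")
	}
	return strings.ToLower(strings.Join(rdns, ","))
}

// FirstRDNValue is the "auto_map" idea: "ou=mathematicians,dc=example,dc=com" -> "mathematicians".
func FirstRDNValue(dn string) (string, bool) {
	kv := splitUnescaped(splitUnescaped(dn, ',')[0], '=')
	if len(kv) < 2 {
		return "", false
	}
	v := unescape(strings.TrimSpace(strings.Join(kv[1:], "=")))
	return v, v != ""
}

// MapGroups turns the DNs of a user's groups into a sorted, deduplicated role list.
// explicit: configured DN -> role table (case-insensitive); auto_map: first RDN value; auto_dn_map: whole normalized DN.
func MapGroups(configured map[string]string, userGroups []string, mode string) []string {
	lookup := make(map[string]string, len(configured))
	for dn, role := range configured {
		lookup[NormalizeDN(dn)] = role
	}
	seen := map[string]bool{}
	for _, g := range userGroups {
		var role string
		switch mode {
		case "explicit":
			role = lookup[NormalizeDN(g)]
		case "auto_map":
			if v, ok := FirstRDNValue(g); ok {
				role = strings.ToLower(v)
			}
		case "auto_dn_map":
			role = NormalizeDN(g)
		}
		if role != "" {
			seen[role] = true
		}
	}
	roles := make([]string, 0, len(seen))
	for r := range seen {
		roles = append(roles, r)
	}
	sort.Strings(roles)
	return roles
}

func main() {
	cfg := map[string]string{"ou=mathematicians,dc=example,dc=com": "authp/admin"}
	groups := []string{"OU=Mathematicians, DC=Example, DC=com", `cn=Smith\, John,ou=people,dc=example,dc=com`}
	fmt.Println(MapGroups(cfg, groups, "explicit")) // [authp/admin]
	fmt.Println(MapGroups(nil, groups, "auto_map")) // [mathematicians smith, john]
}
```

The explicit mode is the existing groups { ... } table with the case-insensitive comparison the second request asks for; the two auto modes are the first request's proposal. Note that auto_map makes every directory group the user belongs to into a role, so an allow roles line must then be reviewed against the full set of group names the directory can return.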
  • breakfix: local storage not working?

    Describe the issue

    Trying to set up Caddy to do reverse proxy in a Windows environment.

    1. bcrypt-cli is deprecated. How to create bcrypt hashes that work in local storage? PyPI's bcrypt hashes don't seem to work.
    2. Where is users.json on a Windows environment? No file is auto-created across the Appdata/Roaming/caddy folder
    3. What are the other hash algorithms available? bcrypt is no longer recommended, and scrypt is encouraged instead...
    4. Is my token lifetime set right? Couldn't figure it out from your documentation if i'm doing it right

    Configuration

    Paste full Caddyfile below:

    {
            
            security {
                    local identity store localdb {
                            realm local
                            path {$HOME}/.local/caddy/users.json
                    }
    
                    authentication portal myportal {
                            crypto default token lifetime 36000
                            enable identity store localdb       
                    }
            }
    }
    
    
    domain.example.com {
            route {
                    authenticate with myportal
            }
            reverse_proxy localhost:8989
    
    }
    

    Version Information

    Provide output of caddy list-modules -versions | grep git below:

    PS C:\Users\username\Documents\caddy> .\caddy_windows_amd64_custom.exe list-modules --versions
    
      Standard modules: 99
    
    dns.providers.cloudflare v0.0.0-20220916142955-815abbf88b27
    dynamic_dns v0.0.0-20220916142711-87eacc5e2482
    dynamic_dns.ip_sources.simple_http v0.0.0-20220916142711-87eacc5e2482
    dynamic_dns.ip_sources.upnp v0.0.0-20220916142711-87eacc5e2482
    http.authentication.providers.authorizer v1.1.15
    http.handlers.authenticator v1.1.15
    security v1.1.15
    
      Non-standard modules: 7
    
      Unknown modules: 0
    PS C:\Users\username\Documents\caddy>
    

    Expected behavior

    A simple config file that shows this working

    need triage breakfix 
    opened by sagz 2
  • Bypass Auth for Internal Addresses

    Bypass Auth for Internal Addresses

    I've got the authentication all set up and I am very happy with the protection it gives me. My only question is if it's possible for me to allow either an internal network to bypass the authentication or if I can somehow use certificates on my devices to auto auth? I looked through the documentation, and I saw some stuff that might be what I wanted but I wasn't sure.

    Thanks!

    feature network acl 
    opened by jjmoffitt 1
  • question: bcc

    question: bcc

    A clear and concise description of what you want to accomplish.

    First of all, caddy security is awesome! My only problem is that I don't get a copy when people sign up. I have a bcc-row but nothing is sent. Am I doing something wrong?

    Regards Joel

    question messaging messaging-email 
    opened by smurfb 2
Releases(v1.1.16)
  • v1.1.16(Nov 7, 2022)

    • upgrade to caddy v2.6.2
    • fix: setting meta UI title
    • upgrade to go-authcrunch v1.0.37
      • mfa: add support for windows hello
      • update go.mod and add css colors for discord
      • oauth: added support for discord oauth provider (see greenpau/go-authcrunch#27 and Discord docs)
      • sso: implement metadata.xml handler
    Source code(tar.gz)
    Source code(zip)
  • v1.1.15(Aug 21, 2022)

    • github: upgrade workflow to go1.18
    • authn: add sso provider directives
    • upgrade to github.com/greenpau/go-authcrunch v1.0.36
      • fix login hint bug (greenpau/go-authcrunch/issues/23)
    Source code(tar.gz)
    Source code(zip)
  • v1.1.14(Jun 20, 2022)

    • cookie: if domain and insecure specified then set for all (#124)
    • ui: add disable settings page directive
    • upgrade to github.com/greenpau/go-authcrunch v1.0.35
      • ui: generate nav menu for settings page
      • ui: format login template
      • ui: remove debug from login template
      • ui: hide login form links (greenpau/caddy-security#101, authp/authp.github.io#23)
      • ui: add apps templates - aws sso and mobile access
      • ui: minify css assets
    Source code(tar.gz)
    Source code(zip)
  • v1.1.13(Jun 13, 2022)

    • ids/ldap: add fallback roles directive (#120)
    • upgrade to github.com/greenpau/go-authcrunch v1.0.34
      • ids/ldap: add support for fallback roles (#120)
      • ui: convert sandbox template to tailwindcss
    Source code(tar.gz)
    Source code(zip)
  • v1.1.12(Jun 6, 2022)

    • ui: add meta title, author, description directives (authp/authp.github.io#31)
    • oauth: add enable logout directive (authp/authp.github.io#30)
    • upgrade to github.com/greenpau/go-authcrunch v1.0.33
      • oauth: add enable logout facilities
      • ui: convert portal and whoami templates to tailwindcss
      • ui: change go/template ref from Title to PageTitle
      • settings: fix logic for non-local identity stores
      • ui: convert register template to tailwindcss
    Source code(tar.gz)
    Source code(zip)
  • v1.1.11(Jun 3, 2022)

    • add enable id_token cookie [<cookie_name>] Caddyfile directive
    • upgrade to github.com/greenpau/go-authcrunch v1.0.32
      • oauth: add auth portal cookie for storing identity provider id_token (authp/authp.github.io#28)
      • oauth: implement ending session via oauth provider logout url
      • oauth: fix typo in javascript-based redirect
      • whoami: add custom claims to json response (greenpau/caddy-security#102)
    Source code(tar.gz)
    Source code(zip)
  • v1.1.10(May 26, 2022)

  • v1.1.9(May 23, 2022)

    upgrade to github.com/greenpau/go-authcrunch v1.0.30

    • template/login: add login QR code handler

    qr_code_demo

    • github: add open collective funding link
    • oauth: Ability to provide scopes from the request into the security backends (#19)
    Source code(tar.gz)
    Source code(zip)
  • v1.1.8(May 20, 2022)

    🔥All! Please ask your employers to support this project via Open Collective. 🔥

    • ui: redesign login template (moving towards TailwindCSS and jQuery for user management UI)
    • cookie: add support for domain stripping (#107)

    login_template_redesign

    Source code(tar.gz)
    Source code(zip)
  • v1.1.7(May 10, 2022)

  • v1.1.6(May 7, 2022)

    • upgrade to github.com/greenpau/go-authcrunch v1.0.27
      • idp: extract roles and groups from oauth userinfo (#93)
      • Sanitize referrer url on Generic html template (greenpau/go-authcrunch#15)
    Source code(tar.gz)
    Source code(zip)
  • v1.1.5(Apr 24, 2022)

  • v1.1.4(Apr 18, 2022)

    • idp: add directive for icon name, text, color (doc)
    • oauth: add directive for userinfo field extraction (#87)
    • upgrade to github.com/greenpau/go-authcrunch v1.0.24
      • authorize: implement header injection of nested fields (doc)
      • oauth: add fetching of openid userinfo (#13)
      • Remediate CodeQL Issues
    Source code(tar.gz)
    Source code(zip)
  • v1.1.3(Apr 10, 2022)

  • v1.1.2(Apr 3, 2022)

    • oauth: add configuration option for email field check (#77). If the disable email claim check directive is present, there will be no check for the presence of the email field in a token received from the IdP.
    Source code(tar.gz)
    Source code(zip)
  • v1.1.1(Apr 2, 2022)

    • upgrade to go-authcrunch v1.0.21
      • refactor auth proxy for basic and api key auth
      • add file system based messaging
      • switch from github.com/satori/go.uuid to github.com/google/uuid
    Source code(tar.gz)
    Source code(zip)
  • v1.0.19(Mar 30, 2022)

    🔥 BREAKING (BUT NECESSARY) CHANGES 🔥 See https://github.com/greenpau/caddy-security/issues/83#issue-1186529107

    • upgrade to github.com/greenpau/go-authcrunch v1.0.20
      • split backends to identity stores and providers
      • oauth: use first available key to validate token when kid not found (greenpau/caddy-security#77)
    Source code(tar.gz)
    Source code(zip)
  • v1.0.18(Mar 23, 2022)

  • v1.0.17(Mar 5, 2022)

  • v1.0.16(Feb 16, 2022)

    • upgrade to github.com/greenpau/go-authcrunch v1.0.17
      • oauth: add javascript-based callback (greenpau/caddy-security#48)
      • cmd: add authdbctl connect command
      • oauth: change http client in fetchMetadataURL to use the client that uses proxy from environment (greenpau/go-authcrunch#5)
    Source code(tar.gz)
    Source code(zip)
  • v1.0.15(Feb 12, 2022)

  • v1.0.14(Feb 11, 2022)

    • registration: add admin email Caddyfile directive
    • upgrade to github.com/greenpau/go-authcrunch v1.0.15
      • transforms: add injection of multi-level nested maps
      • registration: improve ui
      • oauth: add jwks tests (greenpau/caddy-security#48)
      • oauth: add jwks validation checks for HS and ES keys
      • oauth: add jwks support for HS and ES keys
      • oauth: add jwks support for enc usage field
      • registration: add new email templates
    Source code(tar.gz)
    Source code(zip)
  • v1.0.13(Feb 6, 2022)

    • add enable admin api Caddyfile directive
    • upgrade to github.com/greenpau/go-authcrunch v1.0.14
      • cookie: add multi-domain config for single portal (greenpau/caddy-security#43)
      • admin api: add metadata endpoint
      • config: add admin api config
      • messaging: modify email format (greenpau/caddy-security#26)
      • bugfix: fix authorization bypass issue (greenpau/caddy-security#44)
    Source code(tar.gz)
    Source code(zip)
  • v1.0.12(Feb 2, 2022)

    upgrade to github.com/greenpau/go-authcrunch v1.0.13

    • kms: add crypto default key kid handling
    • sandbox: add logging for failed auth attempts (greenpau/caddy-security#42)
    • registration: add email notification capability
    • saml: add upn and oid metadata ms attributes
    Source code(tar.gz)
    Source code(zip)
  • v1.0.11(Jan 31, 2022)

    • Add login hint Caddyfile directive
    • registration: add email provider directive
    • add placeholder handling for ui and registration
    • upgrade to github.com/greenpau/go-authcrunch v1.0.12
      • Implement forwarding of login hint to auth URL
      • config: add provider and credentials checks for user registration
      • registration: modify registration flow and ui template
    Source code(tar.gz)
    Source code(zip)
  • v1.0.10(Jan 29, 2022)

  • v1.0.9(Jan 29, 2022)

  • v1.0.8(Jan 28, 2022)

  • v1.0.7(Jan 28, 2022)

    🔥MUST UPGRADE! 🔥

    • bugfix: empty placeholders in crypto configs
    • upgrade to github.com/greenpau/go-authcrunch v1.0.9
      • acl: add match any and negative match logic, e.g. no match role foo
      • acl: add support for field exists and not exists, e.g. field role exists or field metadata not exists (greenpau/caddy-security#5)
      • fix: custom css and js directive handling (greenpau/caddy-security#33)
    Source code(tar.gz)
    Source code(zip)
  • v1.0.6(Jan 24, 2022)

    • Added verbose error messages for unauthorized connections. The messages capture the source IP address of the HTTP request and the source IP address of the underlying TCP connection.
    • upgrade to github.com/greenpau/go-authcrunch v1.0.8
      • validator: pass requests.AuthorizationRequest to downstream functions
      • validator: add user metadata for failed authorizations
    Source code(tar.gz)
    Source code(zip)
Owner
Paul Greenberg